Multi-Factor Authentication (MFA) and the TKE
On a system using Multi-Factor Authentication (MFA), you use an alternative authentication mechanism, such as RSA SecurID, to get a one-time use token instead of using a password. The token is used to authenticate your user ID to the z/OS application to which you are connecting. Because the token is one-time use, any later authentication requires a new token.
If you use Multi-Factor Authentication (MFA) with the TKE:
- After a TKE OPEN HOST is done, the TKE replays the user ID and password credentials for some of the commands it sends to the host.
- Some of the commands that require this replay are ones you must run while you configure host crypto modules.
- By default, MFA credentials are one-time use only, so MFA will not allow the same credential to be replayed multiple times.
There are two ways to handle the TKE replay issue for MFA:
- You can use the IBM Multi-Factor Authentication Out-of-band server to get a token that allows replay and is valid for the time needed to configure crypto modules on that host. You pick a timeout value that makes sense to you (for example, one hour or one day). When the token expires, you have to close the host and reopen it with a new token. For more information, see Out-of-Band cache token credential (CTC).
- You can add the TKE RACF Authorization application (CSFTTKE) to the application exclusion list for MFA to exclude the TKE RACF Authorization application from MFA processing so that only the user ID and RACF password are needed. For more information, see Bypassing MFA.
For more information about IBM MFA, Out-of-Band, the cache token credential, and exclusion list support, see the IBM MFA for z/OS documentation.
Out-of-Band cache token credential (CTC)
A cache token credential (CTC) allows reuse of an MFA token for a limited time. A CTC is generated by providing a token from an application such as RSA SecurID to an IBM MFA Out-of-Band server. The CTC returned by the Out-of-Band server can then be used and reused instead of having to provide a new token for every transaction that requires authentication.
To specify that a CTC is going to be used for a given length of time, create an MFA policy such as the one below:
FACTORS = AZFSIDP1
TOKEN TIMEOUT = 00003600
REUSE = YES
Where:
- TOKEN TIMEOUT
  Sets the length of time (in seconds) that an IBM MFA Out-of-Band token is valid once the token is generated. The value can be between 1 and 86400 (the number of seconds in a day). The timeout given in the example above is one hour, which is the recommended value for the TKE. The default token timeout is 300 seconds (five minutes).
- REUSE
  Determines whether the IBM MFA Out-of-Band token can be reused by an application. Possible values are YES or NO. The default is NO.
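To make the interaction between TOKEN TIMEOUT, REUSE and the TKE's credential replay concrete, the following is an added example, not IBM MFA code and not part of the original page. It parses the policy text in the format shown above and runs a simplified, constructed model of an Out-of-Band server: the TKE authenticates once at OPEN HOST and then replays the same CTC for later commands at the times given. Time is passed in explicitly (seconds since OPEN HOST) so the model is deterministic; the token format, the server class and the policy strings are assumptions made for the illustration.

```python
"""Constructed model of the CTC lifecycle under an MFA policy (example code,
not IBM MFA). Shows why TKE credential replay fails under the default policy
(REUSE=NO, TOKEN TIMEOUT=300) and succeeds under the recommended one
(REUSE=YES, TOKEN TIMEOUT=3600) until the token expires."""
from __future__ import annotations
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 300   # documented default: five minutes
DEFAULT_REUSE = False   # documented default: REUSE = NO

# Constructed sample policies in the page's KEY = VALUE format.
DEFAULT_POLICY = "FACTORS = AZFSIDP1\n"            # timeout and reuse left at defaults
CTC_POLICY = "FACTORS = AZFSIDP1\nTOKEN TIMEOUT = 00003600\nREUSE = YES\n"


def parse_policy(text: str) -> dict:
    """Parse KEY = VALUE policy lines. TOKEN TIMEOUT becomes an int (leading
    zeros allowed) checked against the documented range 1-86400; REUSE becomes
    a bool; other keys such as FACTORS are kept as raw strings."""
    policy = {"TOKEN TIMEOUT": DEFAULT_TIMEOUT, "REUSE": DEFAULT_REUSE}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip().upper(), value.strip()
        if key == "TOKEN TIMEOUT":
            timeout = int(value)
            if not 1 <= timeout <= 86400:
                raise ValueError(f"TOKEN TIMEOUT outside 1-86400: {timeout}")
            policy[key] = timeout
        elif key == "REUSE":
            if value.upper() not in ("YES", "NO"):
                raise ValueError(f"REUSE must be YES or NO, got {value!r}")
            policy[key] = value.upper() == "YES"
        else:
            policy[key] = value
    return policy


@dataclass
class OutOfBandServer:
    """Hypothetical Out-of-Band server: issues CTCs and validates them under
    one policy. A token is rejected once it is older than TOKEN TIMEOUT, or on
    any second presentation when REUSE is NO."""
    policy: dict
    issued: dict = field(default_factory=dict)   # token -> {"issued": t, "used": bool}
    counter: int = 0

    def issue_ctc(self, now: int) -> str:
        self.counter += 1
        token = f"ctc-{self.counter:04d}"        # constructed token format
        self.issued[token] = {"issued": now, "used": False}
        return token

    def validate(self, token: str, now: int) -> bool:
        rec = self.issued.get(token)
        if rec is None:
            return False                          # unknown token
        if now - rec["issued"] > self.policy["TOKEN TIMEOUT"]:
            return False                          # expired
        if rec["used"] and not self.policy["REUSE"]:
            return False                          # one-time use already consumed
        rec["used"] = True
        return True


def tke_session(policy_text: str, command_times: list[int]) -> list[bool]:
    """Model OPEN HOST at t=0 (consumes the CTC once), then the TKE replaying
    the same CTC for each later command. Returns one accept/reject per command."""
    server = OutOfBandServer(parse_policy(policy_text))
    token = server.issue_ctc(now=0)
    if not server.validate(token, now=0):
        raise RuntimeError("OPEN HOST itself should succeed with a fresh CTC")
    return [server.validate(token, now=t) for t in command_times]


if __name__ == "__main__":
    print("default policy :", tke_session(DEFAULT_POLICY, [10, 60]))
    print("CTC policy     :", tke_session(CTC_POLICY, [10, 60, 3500, 3601]))
```

Under the default policy every replayed command is rejected, which is the TKE failure the page describes; under the CTC policy the replays succeed for the hour and the first command after expiry fails, at which point the host has to be closed and reopened with a new token.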
Bypassing MFA
By running some RACF commands, you can bypass MFA processing when an open host is done from a TKE. For example:
RDEF MFADEF MFABYPASS.APPL.CSFTTKE UACC(NONE)
PE MFABYPASS.APPL.CSFTTKE CLASS(MFADEF) ID(TKEMFA) ACC(READ)
SETR RACLIST(MFADEF) REFRESH
Notes:
- The RACF RDEF (Define General Resource) command adds the TKE RACF Authorization module (CSFTTKE) to the MFA excluded application list.
- The RACF UACC operand specifies Universal Access Authority. In this example, NONE is specified, which is the default.
- The RACF PE (Permit) command is used to allow the user, TKEMFA, to bypass MFA processing. Specify your own list of users for your installation, and keep it limited to the users who administer crypto modules from the TKE, because those users then authenticate to CSFTTKE with only their user ID and RACF password.
- You can remove a user from the permitted list with the following set of commands (in this example, the user TKEMFA is removed; you would specify your own users to remove):
PE MFABYPASS.APPL.CSFTTKE CLASS(MFADEF) ID(TKEMFA) DELETE
SETR RACLIST(MFADEF) REFRESH
- You can also remove the TKE RACF Authorization application (CSFTTKE) from the excluded application list with the following set of commands (these commands remove all users):
RDEL MFADEF MFABYPASS.APPL.CSFTTKE
SETR RACLIST(MFADEF) REFRESH